OLV Basiliek Zwolle

Hackers increasingly use ‘browser-in-browser’ technique in Ukraine-related attacks

By Ronnie A. Huntsman
March 31, 2022

A Belarusian threat actor known as Ghostwriter (aka UNC1151) has been spotted using the recently leaked Browser-in-Browser (BitB) technique as part of its credential phishing campaigns exploiting the ongoing Russian-Ukrainian conflict.

The method, which impersonates a legitimate domain by simulating a browser window within the browser, makes it possible to mount compelling social engineering campaigns.

“Ghostwriter actors quickly adopted this new technique, combining it with a previously observed technique, by hosting credential phishing landing pages on compromised sites,” Google's Threat Analysis Group (TAG) said in a new report. The group uses it to siphon credentials entered by unsuspecting victims to a remote server.

Other groups using the war as a lure in phishing and malware campaigns to trick targets into opening fraudulent emails or links include Mustang Panda and Scarab, as well as state actors from Iran, North Korea and Russia.

Curious Gorge, a hacking team that TAG has attributed to the Chinese People’s Liberation Army Strategic Support Force (PLASSF) and that has orchestrated attacks on government and military organizations in Ukraine, Russia, Kazakhstan and Mongolia, is also on the list.

A third set of attacks seen over the past two weeks came from a Russia-based hacking group known as COLDRIVER (aka Calisto). TAG said the actor organized credential phishing campaigns targeting several US-based NGOs and think tanks, the military of a Balkan country and an unnamed Ukrainian defense contractor.


“However, for the first time, TAG observed COLDRIVER campaigns targeting the militaries of several Eastern European countries, as well as a NATO Center of Excellence,” said TAG researcher Billy Leonard. “These campaigns were sent using newly created Gmail accounts to non-Google accounts, so the success rate of these campaigns is unknown.”

Viasat breaks down the February 24 attack

The disclosure comes as US telecommunications company Viasat unveiled details of a “multifaceted and deliberate” cyberattack against its KA-SAT network on February 24, 2022, coinciding with Russia’s military invasion of Ukraine.

The attack on the satellite broadband service disconnected tens of thousands of modems from the network, affecting several customers in Ukraine and across Europe and disrupting the operations of 5,800 wind turbines owned by German company Enercon in central Europe.


“We believe the purpose of the attack was to disrupt service,” the company explained. “There is no evidence that end-user data was accessed or compromised, nor that the customer’s personal equipment (PCs, mobile devices, etc.) was accessed inappropriately, nor any evidence that the KA-SAT satellite itself or its ground support satellite infrastructure itself has been directly involved, altered or compromised.”

Viasat linked the attack to a “ground network intrusion” that exploited a misconfiguration in a VPN device to gain remote access to the KA-SAT network and execute destructive commands on modems that “overwrote data keys in flash memory”, rendering them temporarily unable to access the network.

Russian dissidents targeted by Cobalt Strike

The relentless attacks are the latest in a long list of malicious cyber activities that have emerged following the lingering conflict in Eastern Europe, with government and commercial networks suffering from a series of disruptive data-erasing infections in conjunction with a series of ongoing distributed denial-of-service (DDoS) attacks.

This has also taken the form of compromising legitimate WordPress sites to inject malicious JavaScript code in an attempt to carry out DDoS attacks against Ukrainian domains, according to researchers from MalwareHunterTeam.


But it’s not just Ukraine. Malwarebytes Labs this week presented details of a new spear phishing campaign targeting Russian citizens and government entities with the aim of deploying nefarious payloads to compromised systems.

“Spear phishing emails warn people who use websites, social networks, instant messengers and VPN services that have been banned by the Russian government that criminal charges will be brought,” Hossein Jazi said. “Victims are tricked into opening a malicious attachment or link to learn more, only to be infected with Cobalt Strike.”

The malware-laced RTF documents contain an exploit for the widely abused MSHTML Remote Code Execution Vulnerability (CVE-2021-40444), leading to the execution of JavaScript code that generates a PowerShell command to download and run a Cobalt Strike beacon retrieved from a remote server.

Another cluster of activity potentially involves a Russian threat actor tracked as Carbon Spider (aka FIN7), which used a similar maldoc-oriented attack vector designed to drop a PowerShell-based backdoor capable of fetching and running an executable for the next step.

Malwarebytes also said it detected a “significant increase in malware families used with the intent to steal information or otherwise gain access in Ukraine”, including Hacktool.LOIC, Ainslot Worm, FFDroider, Formbook, Remcos and Quasar RAT.

“While these families are all relatively common in the cybersecurity world, the fact that we saw spikes almost exactly when Russian troops crossed the Ukrainian border makes these developments interesting and unusual,” said Adam Kujawa, director of Malwarebytes Labs, in a statement shared with Hacker News.
